The error "Unable to verify the first certificate" occurs in the Postman cloud agent because the agent has no trusted root certificate store holding the intermediate and root CA certificates, so it cannot build and verify the client → intermediate → root CA chain on its own. Azure Application Gateway has no trusted root certificate store either, so it presents only the certificate it was given, and under these conditions the error appears.
If TLS termination is instead done by an endpoint that has a certificate store (for example IIS, which uses the Windows certificate store and can present the whole chain to the client), no error occurs.
The only way around this on Application Gateway is to create a pfx certificate that contains the whole certificate chain and use that on the Application Gateway.
First method:
The full-chain certificate can be created with openssl. First concatenate the CA certificates into one chain file (root.cer followed by interm.cer, giving chain.pem), because openssl pkcs12 keeps only the last -certfile given on the command line, so passing -certfile twice silently drops the first file. Then run:
.\openssl pkcs12 -export -out full_chain_certificate.pfx -inkey cert_private_key.pem.key -in client_cert.pem.cer -certfile chain.pem
Pay attention to the order of certificates in the chain file: the root CA certificate (root.cer) goes before the intermediate certificate(s) (interm.cer).
All certificates and the key in the example above are in PEM format.
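Added example (not part of the original article and not an Azure or Postman tool): a bash script that uses the openssl CLI to build a throwaway root → intermediate → leaf chain, packs it into a full-chain pfx the same way as the command above, and then counts the certificates the pfx actually carries, so the chain can be confirmed before the file is uploaded to Application Gateway. It assumes openssl is on PATH; all subjects, file names and the password "demo" are constructed for the demo.

```bash
#!/usr/bin/env bash
# Added example, not from the original article: build a throwaway
# root -> intermediate -> leaf chain, pack it into a full-chain PFX the way
# Application Gateway needs it, and count the certificates inside the PFX.
# File names, subjects and the password "demo" are constructed for this demo.
set -eu

# Builds root/interm/leaf certs and keys under "$1", then writes
# full_chain.pfx (leaf + chain) and leaf_only.pfx (the variant that fails).
build_chain_pfx() (
  d="$1"; mkdir -p "$d"; cd "$d"
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=keyCertSign,cRLSign\n' > ca.ext
  # Self-signed demo root CA with explicit CA extensions
  openssl req -new -newkey rsa:2048 -nodes -keyout root.key -out root.csr \
    -subj "/CN=Demo Root CA" 2>/dev/null
  openssl x509 -req -in root.csr -signkey root.key -extfile ca.ext \
    -out root.cer -days 2 2>/dev/null
  # Intermediate CA signed by the root
  openssl req -new -newkey rsa:2048 -nodes -keyout interm.key -out interm.csr \
    -subj "/CN=Demo Intermediate CA" 2>/dev/null
  openssl x509 -req -in interm.csr -CA root.cer -CAkey root.key -CAcreateserial \
    -extfile ca.ext -out interm.cer -days 2 2>/dev/null
  # Leaf (gateway) certificate signed by the intermediate
  openssl req -new -newkey rsa:2048 -nodes -keyout leaf.key -out leaf.csr \
    -subj "/CN=gateway.example.test" 2>/dev/null
  openssl x509 -req -in leaf.csr -CA interm.cer -CAkey interm.key -CAcreateserial \
    -out leaf.cer -days 2 2>/dev/null
  # One chain file, root first then intermediate, passed via a single -certfile:
  # openssl pkcs12 keeps only the last -certfile on the command line.
  cat root.cer interm.cer > chain.pem
  openssl pkcs12 -export -out full_chain.pfx -inkey leaf.key -in leaf.cer \
    -certfile chain.pem -passout pass:demo
  # Leaf-only PFX: the upload that triggers "Unable to verify the first certificate"
  openssl pkcs12 -export -out leaf_only.pfx -inkey leaf.key -in leaf.cer \
    -passout pass:demo
)

# Prints how many certificates a PFX carries (3 = leaf + intermediate + root).
count_pfx_certs() {
  openssl pkcs12 -in "$1" -nokeys -passin pass:demo 2>/dev/null \
    | grep -c 'BEGIN CERTIFICATE'
}

# Succeeds only if leaf.cer chains to root.cer through interm.cer.
verify_chain() (
  cd "$1" && openssl verify -CAfile root.cer -untrusted interm.cer leaf.cer >/dev/null 2>&1
)

DEMO="${TMPDIR:-/tmp}/pfx-demo"
build_chain_pfx "$DEMO"
echo "full_chain.pfx: $(count_pfx_certs "$DEMO/full_chain.pfx") certificate(s)"
echo "leaf_only.pfx:  $(count_pfx_certs "$DEMO/leaf_only.pfx") certificate(s)"
```

Run the same count_pfx_certs check against the real pfx before uploading it; a result of 1 means the chain was not included.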
Second method:
Export a full-chain pfx from the Windows certificate store by ticking “Include all certificates…“ in the Certificate Export Wizard.